No warranty, no promises, no pack drill. If your machine turns into a pool of grey goo or if you are invaded by script kiddies from the planet acne, it's your problem not mine.
Please email me with comments, corrections, glaring security holes etc. so we can try and put together a stable resource.
Just for context, my firewall machine is an ancient 486 laptop with two PC Card ethernet interfaces. I was running FBSD 4.2-stable when I set it up, currently 4.3-beta.
# Example rc.conf lines

# Say this machine is a gateway.
gateway_enable="YES"

# Network interfaces, replace ed0 and ep0 with your actual external
# and internal interfaces.

# What I have, interfaces set up by the PC Card daemon.
#network_interfaces="lo0"

# What you probably want for a non-laptop.
network_interfaces="lo0 ed0 ep0"

# External is controlled by BY via dhcp
ifconfig_ed0="dhcp"

# Internal is fixed. Replace network address with your choice of course.
ifconfig_ep0="inet 10.0.0.8"

# Turn on natd so machines inside can access the world
natd_enable="YES"
natd_interface="ed0"
natd_flags="-config /etc/natd.conf"

# Turn on firewall so adolescents outside stay there
firewall_enable="YES"
firewall_script="/etc/rc.firewall.local"
firewall_type="open"
# /etc/natd.conf (named in natd_flags above)
# http on this machine is really http on 10.0.0.2
redirect_port tcp 10.0.0.2:80 80
# Attempt at a network protecting firewall
# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
# Hacked around mercilessly by Richard Caley (richard@caley.org.uk)
# http://richard.caley.org.uk/by_firewall.html
# Do what thou will but don't blame me

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Interface connected to your internal network
internal=ep0

# Interface connected to the cable modem
external=ed0

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the external interface.
$fwcmd add divert natd all from any to any via "$external"

# Allow all data from my network card and localhost.
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via "$internal"

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit "$external" setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via "$external" established

# Everyone on the internet is allowed to connect to the following
# services on the machine. Remove # from those you want
#$fwcmd add allow tcp from any to any http setup
#$fwcmd add allow tcp from any to any ftp setup
#$fwcmd add allow tcp from any to any ssh setup
#$fwcmd add allow tcp from any to any telnet setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any ident in recv "$external"

# Allow outgoing DNS queries
$fwcmd add allow udp from any to any domain out xmit "$external"

# Allow them back in with the answers... :)
$fwcmd add allow udp from any domain to any in recv "$external"

# time synchronisation
$fwcmd add pass udp from any to any ntp keep-state

# dhcp
$fwcmd add pass udp from any to any bootpc keep-state
$fwcmd add allow udp from any to any bootps out xmit "$external"
$fwcmd add allow udp from any bootps to any in recv "$external"

# IGMP from the cable modem. No one seems to know if this is necessary,
# so I let it in.
$fwcmd add allow igmp from 192.168.100.1 to any in via "$external"

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any

# Deny and log setups from outside, just deny the rest of the attempt
$fwcmd add deny log tcp from any to any in via "$external" setup
$fwcmd add deny tcp from any to any

# Deny and log non-TCP from outside
$fwcmd add deny log ip from any to any in via "$external"

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any
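As an added example that is not part of the original page: a first-match model of the ruleset above, handy for checking which rule a given packet hits (and so what the ordering actually permits) before loading it on the real box. It assumes the page's interface names ed0/ep0 and simplifies heavily: addresses, natd diversion and keep-state dynamic entries are not modelled, so the keep-state rules are treated as stateless allows and the igmp rule is left out.

```python
from collections import namedtuple

EXT, INT = "ed0", "ep0"          # interface names used on this page

# A packet as the model sees it; flags is a set such as {"syn"} or {"ack"}.
Packet = namedtuple("Packet", "proto dir iface sport dport flags")

# The page's rules in order: (action, proto, sport, dport, dir, iface, tcpflag).
# None means "any". Assumed simplifications: no addresses, no natd divert,
# keep-state rules modelled as plain stateless allows, igmp rule omitted.
RULES = [
    ("allow", "ip",   None, None, None,  "lo0", None),
    ("allow", "ip",   None, None, None,  INT,   None),
    ("allow", "tcp",  None, None, "out", EXT,   "setup"),
    ("allow", "tcp",  None, None, None,  EXT,   "established"),
    ("reset", "tcp",  None, 113,  "in",  EXT,   None),         # ident
    ("allow", "udp",  None, 53,   "out", EXT,   None),         # dns out
    ("allow", "udp",  53,   None, "in",  EXT,   None),         # dns back
    ("allow", "udp",  None, 123,  None,  None,  None),         # ntp keep-state
    ("allow", "udp",  None, 68,   None,  None,  None),         # bootpc keep-state
    ("allow", "udp",  None, 67,   "out", EXT,   None),         # bootps out
    ("allow", "udp",  67,   None, "in",  EXT,   None),         # bootps back
    ("allow", "icmp", None, None, None,  None,  None),
    ("deny",  "tcp",  None, None, "in",  EXT,   "setup"),      # logged
    ("deny",  "tcp",  None, None, None,  None,  None),
    ("deny",  "ip",   None, None, "in",  EXT,   None),         # logged
    ("deny",  "ip",   None, None, None,  None,  None),         # rule 65435
]
# The commented-out web rule from the page, for what-if checks.
HTTP_RULE = ("allow", "tcp", None, 80, None, None, "setup")

def matches(rule, p):
    action, proto, sport, dport, direction, iface, flag = rule
    if proto != "ip" and proto != p.proto:
        return False
    if sport is not None and sport != p.sport or dport is not None and dport != p.dport:
        return False
    if direction is not None and direction != p.dir or iface is not None and iface != p.iface:
        return False
    if flag == "setup":            # ipfw: SYN set, ACK clear
        return "syn" in p.flags and "ack" not in p.flags
    if flag == "established":      # ipfw: ACK or RST set
        return bool(p.flags & {"ack", "rst"})
    return True

def verdict(p, rules=RULES):
    # First matching rule wins, as in ipfw; returns (action, 1-based rule index).
    for n, rule in enumerate(rules, 1):
        if matches(rule, p):
            return rule[0], n
    return "deny", 65535           # ipfw's built-in default rule
```

Inserting HTTP_RULE where the page's commented line sits (after the established rule) is enough to see an inbound SYN to port 80 flip from the logged deny to an allow.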
Notes:
For a more sophisticated rule set see my IPFW page.
See Also: